Issue In Vaadin while using in Embedded

I have created my application in Vaadin 14 and I display that application in my website inside an IFrame, and it shows an error like "Cookies are disabled".

This issue happens in Chrome, as Chrome introduced a new cookie flag, SameSite, for security reasons.

Please follow the steps below to reproduce the issue.

  1. Download Chrome Canary, then install and launch it.

  2. In Canary, navigate to chrome://settings/help and verify that you see "Google Chrome is up to date"; if not, then update Canary.

  3. Navigate to chrome://flags/#samesite and enable these three SameSite flags:

     - SameSite by default cookies
     - Enable removing SameSite=None cookies
     - Cookies without SameSite must be secure

So it is probably related to this

https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html

Could you open a ticket at https://github.com/vaadin/flow/issues and include a simple test app?

Tatu, I really appreciate your response.
I posted the issue on GitHub; please check the link below.
https://github.com/vaadin/flow/issues/7736

Is there any workaround for this issue?

Tatu Lund:
So it is probably related to this

https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html

Could you open a ticket at https://github.com/vaadin/flow/issues and include a simple test app?

Can you please tell me when Vaadin creates the session cookies?

The JSESSION cookie is not created by Vaadin, but by the container where the Vaadin app is being run. So you need to check how it is configured in your setup, depending on whether you are using Tomcat, etc.

I solved that problem by making a few changes to the server configuration.

If you are using a Tomcat server, then please add the following lines to the conf/context.xml file.

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="None" />

If you are using Spring Boot embedded Tomcat, then you need to create a configuration class like the one below.

import org.apache.tomcat.util.http.LegacyCookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class LegacyCookieProcessorConfiguration {

	// tag::customizer[]
	@Bean
	public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
		return (factory) -> factory.addContextCustomizers((context) -> {
			LegacyCookieProcessor legacyCookieProcessor = new LegacyCookieProcessor();
			legacyCookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
			context.setCookieProcessor(legacyCookieProcessor);
		});
	}
	// end::customizer[]

}

Imran Momin:
I solved that problem by making a few changes to the server configuration.

If you are using a Tomcat server, then please add the following lines to the conf/context.xml file.

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="None" />

If you are using Spring Boot embedded Tomcat, then you need to create a configuration class like the one below.

import org.apache.tomcat.util.http.LegacyCookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class LegacyCookieProcessorConfiguration {

	// tag::customizer[]
	@Bean
	public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
		return (factory) -> factory.addContextCustomizers((context) -> {
			LegacyCookieProcessor legacyCookieProcessor = new LegacyCookieProcessor();
			legacyCookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
			context.setCookieProcessor(legacyCookieProcessor);
		});
	}
	// end::customizer[]

}

I only use HttpServletResponse response.addCookie(tokenCookie);
It works

Imran Momin:

@Configuration
public class LegacyCookieProcessorConfiguration {

	@Bean
	public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
		return (factory) -> factory.addContextCustomizers((context) -> {
			LegacyCookieProcessor legacyCookieProcessor = new LegacyCookieProcessor();
			legacyCookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
			context.setCookieProcessor(legacyCookieProcessor);
		});
	}
}

Okay so this almost worked out of the box for me.

I have two profiles where one configures http and the other https.
I could only run Imran's code while configuring https.
If I run the code with http, the login page reloads continuously at enormous speed.

So by limiting the above code with “@Profile("prod") // https” it works.
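
Added example (not code from any poster, Vaadin or Tomcat): a small Node.js model of the three Chrome flags listed in the question, showing how a cookie set by an app framed on another site is treated with and without `Secure` and HTTPS. The function names and the sample Set-Cookie headers are constructed for illustration, and the model is simplified (it ignores browser exceptions such as localhost).

```javascript
// Added example: a simplified model of the three Chrome flags listed in the question.

// Parse one Set-Cookie header value into a cookie name and an attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq), attrs };
}

// Verdict for a cookie set by an app that is framed on another site.
// httpsOrigin: true when the framed app itself is served over HTTPS.
function embeddedCookieVerdict(header, httpsOrigin) {
  const { attrs } = parseSetCookie(header);
  const secure = 'secure' in attrs;
  const sameSite = (attrs.samesite || '').toLowerCase();
  if (secure && !httpsOrigin) return 'rejected: Secure cookie set over plain HTTP';
  if (sameSite === 'none') {
    return secure ? 'sent' : 'rejected: SameSite=None without Secure';
  }
  if (sameSite === 'lax' || sameSite === 'strict') return 'withheld: SameSite=' + sameSite;
  return 'withheld: no valid SameSite, treated as Lax';
}

// Constructed sample headers (not captured traffic): [header, httpsOrigin].
const samples = [
  ['JSESSIONID=abc123; Path=/; HttpOnly', true],
  ['JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None', false],
  ['JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None', false],
  ['JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None', true],
];
for (const [header, httpsOrigin] of samples) {
  const scheme = httpsOrigin ? 'https' : 'http ';
  console.log(scheme, '|', header, '=>', embeddedCookieVerdict(header, httpsOrigin));
}
```

A context-wide CookieProcessor setting applies SameSite=None to every cookie the context issues, so the session cookie no longer gets the browser's cross-site restriction; keep server-side CSRF defences in place for the framed app.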